Linux CA plus decryption security process explained

First, the basic knowledge

Symmetric encryption:

The encryption and decryption parties use the same key to solve the data confidentiality, but the way the key is passed to the other party is not easy to implement;

Public Key cryptography:

Keys are paired, secret key (key) and public key (public key) must be decrypted with their corresponding private key, the public key is extracted from the private key, there is a private key to know what the public key is, but know that the public key can not know the private key, the public key is public, The private key is not public, but the public key encryption is 3 orders of magnitude (1000 times times) slower than symmetric encryption, the encryption speed is quite slow, so it is more difficult to use this encryption method alone; Public Key cryptography features:

One-way encryption:

Not really to implement encryption, but to extract data signatures, to verify the integrity of the data, he has an avalanche effect ((Butterfly Effect): The source data is a little different, the results vary greatly) and the fixed-length output (through single-phase encryption of the result length of the same) characteristics;

Common algorithms for one-way encryption:

Md5:message Degist, developed by the MIT AI Lab, fixed-length output

128bit;

Md5sum: Calculates the characteristic value of the file MD5 format;

Sha1:secure Hash algorithm 1, fixed length output 160bit;

SHA256: The longer the length, the greater the change;

SHA512: The longer the length, the greater the change;

Second, the encryption process:

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-9482 "border=" 0 "alt=" wps_clip_image-9482 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_1406970986AxKC.png "height=" 303 "/ >

1. The sender uses one-way encryption algorithm to calculate the characteristic code of the data;

2. The sender uses its own private key to encrypt the feature code and add it to the tail of the data;

3, the sender generates a symmetric key;

4. The sender uses this symmetric key to encrypt the data and encrypt the characteristic code;

5. The transmitting party encrypts the symmetric key with the public key of the receiver, attaches it to the tail of the cipher, and sends it;

Decryption process:

1. The receiving party decrypts the encrypted symmetric password with its own private key;

2. The receiving Party uses the password to decrypt the text;

3, the receiver uses the sender's public key to decrypt the sender's private key encryption signature;

4, the receiver uses the same one-way encryption algorithm to calculate the original data signature;

5, the receiver compares two sections of the signature code;

Sender: Calculate data eigenvalues----> encrypt eigenvalues with private key---> randomly generate passwords symmetric encrypt entire data---> Encrypt passwords with receiver public key
Receiver: Decrypt the password with the private key----> decrypt the entire data----> verify identity with public key----> Compare data eigenvalues

Third, the role of CA certificate

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-29214 "border=" 0 "alt=" wps_clip_image-29214 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_1406970993USJ9.png "height=" 244 "/ >

CA Certificate Model

1 key exchange, also known as ike:internet key exchange Internet Key exchange;

2, digital signature, for authentication, anti-repudiation;

We find that the above encryption method relies heavily on the other party's public key, and how to determine the other party's public key, so this requires a specialized agency to ensure the legitimacy of the source of public key and give each other a digital certificate, in fact, the digital certificate is like our own * * *, and that specialized agency is like to give us * * * The public security organs like, below to say

Digital certificates and CAS (certificate authority);

Digital Certificate contains the certificate owner information and the public key as well as the CA's signature and additional CRL (certificate revocation list);

CA (certificate Authority): Extracts the signature of the certificate data using the one-way encryption algorithm of the certificate, then encrypts the signature with its own private key and appends it to the tail of the data; CA is divided into public CA and private CA two kinds

Pki:

Public key Infrastructure is the core framework for the realization of modern Internet e-commerce, it is only a specification, its core is CA, there are key verification and password exchange mechanism to ensure that the verification process is reliable.

SSL (Secure Socket Layer) Secure sockets layers;

Iv. Linux encryption and decryption technology

In the PCP5 layer model of the AL (Application layer) and TL (Transport layer) in the middle of the addition of a half layer is SSL, in fact, SSL is only a protocol, need to rely on other software to present, this software in Linux is the most common and popular is OpenSSL, the current OpenSSL software version

Here are a few:

SSLV1 has been abandoned;

Sslv2 is currently in use;

SSLv3 is currently in use;

Tls:

Transport Layer Security (Transport layer Secure) protocol, most commonly used is the TLSV1 version (with the SSLv3 ERA);

There are two commonly used encryption and decryption tools on Linux:

1, GPG realization RPM package signature is more commonly used;

2, the implementation of the open source version of OpenSSL SSL, a total of three components:

1) Libcrypto Universal Library;

2) LIBSSL implementation of SSL and TLS protocol;

3) OpenSSL multi-purpose cryptographic components;

Here we focus on OpenSSL:

OpenSSL is a multi-purpose cryptographic component, a command-line tool that can implement symmetric encryption algorithms, asymmetric encryption algorithms, one-way encryption algorithms, as a simple CA (OpenCA), and its dependent configuration file defaults to/etc/pki/tls/ OPENSSL.CNF can also be defined by itself; OpenSSL as a simple CA whose certificate format is x509 (more generic, defines the format of the certificate, similar to pkcs#10), pkcs#12 and pkcs#17 define how the certificate is stored in the format ; OpenSSL can also implement the conversion of the certificate format.

Common Tools for OpenSSL:

1. Confidentiality of data
Information encryption is to convert the plaintext input file into an encrypted file using an encryption algorithm to achieve the confidentiality of the data. The encryption process requires a key to encrypt the data and then decrypt it. Without the key, you cannot unlock the encrypted data. After the data is encrypted, only the key must be transmitted in a secure way. Encrypted data can be transmitted in a public manner.

2. Consistency of data
Encryption also ensures consistency of data. For example: Message verification Code (MAC), the ability to verify user-provided encryption information, the receiver can use the MAC to verify the encrypted data, to ensure that the data has not been tampered with during transmission.

3. Security verification
Another use of encryption is used as a personal identity, and the user's key can be used as the identity of his security verification. SSL is a cryptographic protocol that leverages public key cryptography (RSA) as the encrypted communication protocol between the client and server when transmitting confidential information.

Five, the experiment

OpenSSL establishes a private CA:

1. Generate key

2. Self-signed certificate

Node:

1, generate key pair child

2. Generate Certificate Signing request

3. Send the request to the CA

Ca:

1. Verify the information of the requestor;

2, sign the certificate;

3. Send the signed certificate to the requesting person;

First, establish the CA server:

1. Generate key

# (Umask 077; OpenSSL Genrsa-out/etc/pki/ca/private/cakey.pem 2048)

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-25335 "border=" 0 "alt=" wps_clip_image-25335 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_14069710020hEG.png "height=" 252 "/ >

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-31320 "border=" 0 "alt=" wps_clip_image-31320 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_1406971017q7Vx.png "height=" 202 "/ >

2. Self-signed certificate

Req: Generate certificate Signing request

-news: New Request

-key/path/to/keyfile: Specifying a private key file

-out/path/to/somefile:

-x509: Generate self-signed certificate

-days N: Active days

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-24547 "border=" 0 "alt=" wps_clip_image-24547 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_1406971027mu3R.png "height=" 269 "/ >

3. Initializing the Working environment

# touch/etc/pki/ca/{index.txt,serial}

# echo >/etc/pki/ca/serial

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-12267 "border=" 0 "alt=" wps_clip_image-12267 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_14069710313NSX.png "height=" 64 "/ >

Second, the node application certificate:

(i) Node generation requests

1, generate key pair child

# (Umask 077; OpenSSL genrsa-out/etc/httpd/ssl/httpd.key 2048)

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-29385 "border=" 0 "alt=" wps_clip_image-29385 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_1406971042lqYD.png "height=" 190 "/ >

2. Generate Certificate Signing request

# OpenSSL REQ-NEW-KEY/ETC/HTTPD/SSL/HTTPD.KEY-OUT/ETC/HTTPD/SSL/HTTPD.CSR

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-12925 "border=" 0 "alt=" wps_clip_image-12925 "src=" http://img1.51cto.com/attachment/201408/2/8400375_14069710537UoE.png "height=" 245 "/ >

3. Send the signature request file to the CA service

# SCP

(ii) CA sign Certificate

1. Verify the information in the certificate;

2. Signing certificate

# OpenSSL Ca-in/path/to/somefile.csr-out/path/to/somefile.crt-days N

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-14060 "border=" 0 "alt=" wps_clip_image-14060 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_1406971059shSs.png "height=" 206 "/ >

3, sent to the requestor;

Iii. Revocation of certificates

(a) node

1, obtain the certificate serial

# OpenSSL X509-in/path/to/certificate_file.crt-noout-serial-subject

(ii) CA

2, according to the serial and subject information submitted by the node to verify that the information in the Index.txt file is consistent;

3. Revocation of certificates

# OpenSSL Ca-revoke/etc/pki/ca/newcerts/serial.pem

4. Generate the number of the revocation certificate (if it is the first revocation)

# echo >/etc/pki/ca/crlnumber

5. Update the certificate revocation List

# cd/etc/pki/ca/crl/

# OpenSSL Ca-gencrl-out thisca.crl

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-2476 "border=" 0 "alt=" wps_clip_image-2476 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_1406971067q1Dy.png "height=" 195 "/ >

If necessary, view the contents of the CRL file:

# OpenSSL Crl-in/path/to/crlfile.crl-noout-text

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-12592 "border=" 0 "alt=" wps_clip_image-12592 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_1406971075PvB3.png "height=" 156 "/ >

650) this.width=650; "Style=" background-image:none;border-bottom:0px;border-left:0px;padding-left:0px; padding-right:0px;border-top:0px;border-right:0px;padding-top:0px; "title=" wps_clip_image-23438 "border=" 0 "alt=" wps_clip_image-23438 "src=" Http://img1.51cto.com/attachment/201408/2/8400375_14069710836suC.png "height=" 181 "/